[Freeipa-devel] [PATCHES 0114-0115, 0120-0121] DNS: allow to add root zone '.'

Petr Spacek pspacek at redhat.com
Mon Nov 3 12:59:52 UTC 2014


On 16.9.2014 10:36, Martin Kosek wrote:
> On 09/16/2014 10:30 AM, Martin Basti wrote:
>> On 16/09/14 10:29, Petr Spacek wrote:
>>> On 16.9.2014 10:09, Martin Kosek wrote:
>>>> On 09/16/2014 09:57 AM, Martin Basti wrote:
>>>>> On 16/09/14 09:32, Martin Basti wrote:
>>>>>> On 15/09/14 20:31, Martin Kosek wrote:
>>>>>>> On 09/15/2014 05:16 PM, Martin Basti wrote:
>>>>>>>> On 15/09/14 17:10, Petr Spacek wrote:
>>>>>>>>> On 12.9.2014 15:19, Martin Basti wrote:
>>>>>>>>>> On 03/09/14 12:45, Martin Basti wrote:
>>>>>>>>>>> On 03/09/14 12:27, Martin Kosek wrote:
>>>>>>>>>>>> On 09/02/2014 05:46 PM, Petr Spacek wrote:
>>>>>>>>>>>>> On 25.8.2014 14:52, Martin Basti wrote:
>>>>>>>>>>>>>> Patches attached.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4149
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> There is a bug in bind-dyndb-ldap (or worse in dirsrv), which
>>>>>>>>>>>>>> causes the named service to be stopped after deleting a zone.
>>>>>>>>>>>>>> Bug ticket: https://fedorahosted.org/bind-dyndb-ldap/ticket/138
>>>>>>>>>>>>> Functional ACK, it works for me. It can be pushed if Python gurus are
>>>>>>>>>>>>> okay with the code.
>>>>>>>>>>>> Is it safe to commit the change given that bind-dyndb-ldap still crashes
>>>>>>>>>>>> when "." is removed? Wouldn't it break our CI tests?
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe we should wait until a fixed bind-dyndb-ldap is released.
>>>>>>>>>>>> Hopefully it would be soon.
>>>>>>>>>>>>
>>>>>>>>>>>> Martin
>>>>>>>>>>>>
>>>>>>>>>>> It will break tests, don't push it until bind-dyndb-ldap is fixed.
>>>>>>>>>>> Currently I'm testing bind-dyndb-ldap related patch.
>>>>>>>>>>>
>>>>>>>>>> Added patches 120 and 121, which are required for DNS to work correctly.
>>>>>>>>>> Patches 120 and 121 add all DNS replicas to the zone apex as NS; the
>>>>>>>>>> --name-server option doesn't add an NS record, it only changes the SOA
>>>>>>>>>> MNAME attribute.
>>>>>>>>>>
>>>>>>>>>> Original and new patches attached.
>>>>>>>>>
>>>>>>>>> NACK, unfortunately it doesn't work for me:
>>>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>>>>>> ipa: WARNING: '--name-server' is used only for setting up the SOA MNAME
>>>>>>>>> record.
>>>>>>>>> To edit NS record(s) in zone apex, use command 'dnsrecord-mod [zone] @
>>>>>>>>> --ns-rec=nameserver'.
>>>>>>>>>     Zone name: tri.test.
>>>>>>>>>     Active zone: TRUE
>>>>>>>>>     Authoritative nameserver: ns.test.
>>>>>>>>>     Administrator e-mail address: hostmaster.tri.test.
>>>>>>>>>     SOA serial: 1410793406
>>>>>>>>>     SOA refresh: 3600
>>>>>>>>>     SOA retry: 900
>>>>>>>>>     SOA expire: 1209600
>>>>>>>>>     SOA minimum: 3600
>>>>>>>>>     BIND update policy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>>>     Dynamic update: FALSE
>>>>>>>>>     Allow query: any;
>>>>>>>>>     Allow transfer: none;
>>>>>>>>>
>>>>>>>>> [root@vm-035 rpms]# ipa dnszone-show tri.test. --all --raw
>>>>>>>>>     dn: idnsname=tri.test.,cn=dns,dc=ipa,dc=example
>>>>>>>>>     idnsname: tri.test.
>>>>>>>>>     idnszoneactive: TRUE
>>>>>>>>>     idnssoamname: ns.test.
>>>>>>>>>     idnssoarname: hostmaster.tri.test.
>>>>>>>>>     idnssoaserial: 1410793408
>>>>>>>>>     idnssoarefresh: 3600
>>>>>>>>>     idnssoaretry: 900
>>>>>>>>>     idnssoaexpire: 1209600
>>>>>>>>>     idnssoaminimum: 3600
>>>>>>>>>     idnsallowquery: any;
>>>>>>>>>     idnsallowtransfer: none;
>>>>>>>>>     idnsAllowDynUpdate: FALSE
>>>>>>>>>     idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE
>>>>>>>>> krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
>>>>>>>>>     nsrecord: vm-035.idm.lab.eng.brq.redhat.com.
>>>>>>>>>     objectClass: idnszone
>>>>>>>>>     objectClass: top
>>>>>>>>>     objectClass: idnsrecord
>>>>>>>>>
>>>>>>>>> [root@vm-035 rpms]# ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>>>>>> ipa: ERROR: tri.test.: DNS resource record not found
>>>>>>>>>
>>>>>>>> NACKing NACK
>>>>>>>> ipa dnsrecord-mod @ tri.test. --ns-rec=$(hostname).
>>>>>>>> you switched the order of zone and record; it should be
>>>>>>>> ipa dnsrecord-mod tri.test. @ --ns-rec=$(hostname).
>>>>>>>>
>>>>>>>
>>>>>>> BTW, since we are so nicely breaking the dnszone-add interface, can we also
>>>>>>> get rid of always asking for "Administrator e-mail address"?
>>>>>>>
>>>>>>>>> # ipa dnszone-add tri.test. --name-server=ns.test.
>>>>>>>>> Administrator e-mail address [hostmaster.tri.test.]:
>>>>>>> ...
>>>>>>>
>>>>>>> Is there any risk in filling that with default as any other attribute? IMO
>>>>>>> it would simplify adding zones for one more redundant step. CCing Rob in
>>>>>>> case he knows some historical reasons why this is requested every time.
>>>>>>>
>>>>>>> Martin
>>>>>> There is no risk, because ipa-replica-prepare does that with default values
>>>>
>>>> Then let us do this, as we are already simplifying the dnszone-add command.
>>>>
>>>>> However, this will not work with the root zone ".", and I'm not sure how often an
>>>>> admin email is used. I think whois is a better utility to get a contact email.
>>>>>
>>>>> Also RIPE-203 [1] recommends using the 'hostmaster' alias.
>>>>>
>>>>> [1] http://www.ripe.net/ripe/docs/ripe-203
>>>
>>> This will likely generate tons of invalid e-mail addresses, which is somewhat
>>> unfortunate.
>>>
>>> Please keep in mind that:
>>> 1) The e-mail hostmaster@ipa.domain.example. will be useful only if
>>> ipa.domain.example. has an MX record or at least an A/AAAA record (which is
>>> usually not the case for domains).
>>>
>>> 2) WHOIS is not useful for internal domains which is the main deployment
>>> scenario for IPA, right?
>>>
>>>> DNS zone "." is quite an exception, you are not adding that zone every day. So
>>>> I would not keep asking for admin mail just for this one. You can add an
>>>> interactive prompt callback to ask in this case and otherwise just use the
>>>> default - up to you.
>>>>
>>>> As for the mail alias, this can be an RFE.
>>>
>>> It would be nice to have some IPA-global default like 'DNS administrator
>>> e-mail address' and to use this value for all DNS zones by default.
>>>
>> +1
>
> Please file an RFE for this part (requires schema update, doc update, ...). For
https://fedorahosted.org/freeipa/ticket/4542

> now I would stick just with using the defaults without asking (like in other
> commands). I think it involves just setting autofill to True.

-- 
Petr^2 Spacek
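An added example, not FreeIPA's own code, that works through the default admin-address rule discussed in the thread (hostmaster@zone), refuses it for the root zone "." as Martin Basti notes, and applies Petr's check that the mailbox domain must have an MX or at least an A/AAAA record. Function names and the record table are assumptions; the zone data is constructed and no DNS lookups are made.

```python
def email_to_rname(email: str) -> str:
    """Turn user@domain into SOA RNAME form (RFC 1035 3.3.13): the '@'
    becomes a dot and dots inside the local part are escaped with '\\'."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("expected user@domain")
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."

def default_rname(zone: str) -> str:
    """Default used when dnszone-add is not told otherwise: hostmaster@<zone>."""
    zone = zone.strip().lower()
    if zone in ("", "."):
        # Root zone: 'hostmaster.' names a mailbox in an empty domain, which is
        # the case the thread says the default cannot cover; the caller must ask.
        raise ValueError("root zone '.' has no usable default RNAME")
    return "hostmaster." + zone.rstrip(".") + "."

def rname_mail_domain(rname: str) -> str:
    """Recover the mail domain: the first unescaped dot ends the local part."""
    i = 0
    while i < len(rname):
        if rname[i] == "\\":
            i += 2          # skip the escaped character
        elif rname[i] == ".":
            return rname[i + 1:].rstrip(".") + "."
        else:
            i += 1
    raise ValueError("RNAME has no domain part")

def rname_is_deliverable(rname: str, records: dict) -> bool:
    """Petr's point 1: the address is only useful if its domain has an MX
    record, or at least A/AAAA (the RFC 5321 fallback). `records` maps owner
    names to the set of RR types present (constructed zone data, no lookups)."""
    return bool(records.get(rname_mail_domain(rname), set()) & {"MX", "A", "AAAA"})

# Constructed sample data mirroring the tri.test. zone from the thread: the apex
# has only SOA/NS, so a mailbox at hostmaster.tri.test. has nowhere to go.
SAMPLE_RECORDS = {
    "tri.test.": {"SOA", "NS"},
    "mail.tri.test.": {"A", "MX"},
}

if __name__ == "__main__":
    for zone in ("tri.test.", "."):
        try:
            rn = default_rname(zone)
            print(zone, "->", rn, "deliverable:", rname_is_deliverable(rn, SAMPLE_RECORDS))
        except ValueError as exc:
            print(zone, "->", exc)
```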
